1. #1
    Sencha Premium Member lorezyra

    Ext.util.base64


    I'm curious as to why there are no utility functions for base64/AES/etc in ExtJS.

    I know that we should use HTTPS to ensure encryption between client/server.
    However, I want to add another layer of security above that.
    Simply put, I don't trust that HTTPS is 100% infallible. Especially when things like HeartBleed and potential back-doors are intentionally written into the security protocols (think big-gov or NSA).


    There are too many news reports where the DB was compromised and user data stolen. I use multiple layers of ciphers and one-way salts for sensitive data. This may be overkill, but better than being liable for millions of dollars.


    So... Why do we have no utility classes for ciphers and encryption? There are plenty of singleton JavaScript libraries out there. Why not for ExtJS as well?
    Perfection as a goal is a nice idea that can point one in a specific direction. However, since "perfection" is an ever changing (evolving?) and moving target, one must admit that perfection can never be obtained...

    When in doubt, check the d4mn source code!
    ================================================
    And here are my terms...
    1. I don't care if you use my source code. (Known as "Code.")
    2. I don't care if I get any monetary compensation.
    3. I do care to receive credit for Code provided. So, please keep my name in the comments for Code provided.
    4. Code is provided without warranty "AS-IS" and I claim absolutely no warranty nor liability to the quality, security, and run-ability on any platform.
    5. By using Code, you accept all risk inherent with Code regardless if Code has known and yet to be discovered bugs.
    6. You are welcome to change and improve the Code to best meet your needs.
    7. I don't care if you use the Code in a commercial or open-source project.
    8. You are not required to contact me prior to using the Code.
    ================================================
    Simple. Enjoy.

  2. #2
    Sencha - Support Team Gary Schlosberg


    It sounds like you have already found solutions, but at the risk of being redundant, here's a link that might help:
    http://ntt.cc/2008/01/19/base64-enco...avascript.html

    As far as a built-in solution, I know of none currently, but you can file a Bug (indicating that it is a Feature Request) and I can submit a request to our developers on your behalf so that a future addition will be considered.
    Get on the Fast Track with Sencha Training http://sencha.com/training

    Are you a Sencha products veteran who has wondered what it might be like to work at Sencha? If so, please reach out to our recruiting manager: sheryl@sencha.com

  3. #3
    Sencha - Ext JS Dev Team evant
    Evan Trimboli
    Sencha Developer
    Twitter - @evantrimboli
    Don't be afraid of the source code!

  4. #4
    Sencha Premium Member lorezyra


    Quote Originally Posted by evant
    The crux of the argument is: "It's the browser, stupid!" (Not the closed and "secure" server environment.)

    Even the crypto modules for Node.JS are written in C/C++. I agree that the browser is hardly the best place to solely rely upon encryption between the client and server. It does, however, make a *cheap* proof-of-concept environment for mathematical cryptos.


    For my use case, I have the base64, which I can use to verify paths between server and client. And it's that extra layer that I can prove to customers that assures them that I have their security in mind. (This on top of the SSL certificate...)


    While I admit my attempts will certainly fail against the determined mind of a willful hacker, it requires that extra bit of skill to break in.

  5. #5
    Sencha Premium Member lorezyra


    FYI: Here's the GitHub repo I have just thrown online...
    git@github.com:lorezyra/extjs-crypto.git


    https://github.com/lorezyra/extjs-crypto


    I plan to add MD5, HMAC, SHA to it later...



    Also added bug report (feature request):
    http://www.sencha.com/forum/showthre...pto-to-library
    Last edited by lorezyra; 18 Apr 2014 at 1:54 AM. Reason: add direct URL to github